-
July 19th, 2010, 10:04 PM
#1
Timing Attacks
I found this article rather interesting:
http://www.itbusiness.ca/it/client/e...s.asp?id=58406
They crack passwords by measuring the time it takes for a computer to respond to a login request. On some login systems, the computer will check password characters one at a time, and kick back a "login failed" message as soon as it spots a bad character in the password. This means a computer returns a completely bad login attempt a tiny bit faster than a login where the first character in the password is correct. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords.
This has been around as a concept for 25 years or so, but a couple of guys reckon that it is not so difficult as previously thought.
-
July 20th, 2010, 02:38 PM
#2
Wouldn't this have been easier 25 years ago though? I mean 25 years ago, this form of attack had the following things going for it:
#1. People who weren't trained in Computers (Which wasn't many, this would have been 1984) used passwords they could remember, and didn't think much about "Haxors".
#2. CPUs 25 years ago were slow enough that you could WATCH this. Today, with CPUs more than 20x the speed of the average system back then, and of course, Ethernet being more than a few MBs a second, and most people using a WAY slower net connection.... Wouldn't it have been easier then? I mean back then, a 1MHz system, you could almost use a Stop Watch to do this lol. Today it would be a difference in like, Milliseconds.
It is interesting though. I haven't used much in my days for password cracking... Being a person who thinks Social Engineering is still very viable, and someone who also uses password crackers and sniffers for those non-encrypted ones, and basically nothing else, I've used what works when I needed to.
When I first started using Linux, I tried cracking my passwords, but it rarely got far. I've been pretty good about that. Ever since my VERY first password EVER back in September of 1999, which was "azsxdc". I know, it sucks, and it's easy, but, it wasn't a word, and I was using a Computer seriously for the very first time.
-
July 20th, 2010, 04:32 PM
#3
The problem with this attack is that it is very noisy. If my assumptions are correct, in order to cope with the timing issues presented by the internet, they will have to try each letter many times and take an average of it. The attack is definitely feasible, but has a lot of issues in my opinion. The biggest concern is the network traffic and how that affects the time with responses, coupled with the fact that you are looking for differences in time that are literally nanoseconds. This kind of makes me think of the attack being impractical but I will have to see what the researchers say. They could have somehow found a way to make network response time reliable.
-
July 20th, 2010, 06:36 PM
#4
Originally Posted by SnugglesTheBear
The problem with this attack is that it is very noisy. If my assumptions are correct, in order to cope with the timing issues presented by the internet, they will have to try each letter many times and take an average of it. The attack is definitely feasible, but has a lot of issues in my opinion. The biggest concern is the network traffic and how that affects the time with responses, coupled with the fact that you are looking for differences in time that are literally nanoseconds. This kind of makes me think of the attack being impractical but I will have to see what the researchers say. They could have somehow found a way to make network response time reliable.
Heh, I was agreeing with you in an AP assignment and I think I just boosted you quite a bit lol. Man that's awesome lol, your two dots just got more friends from one AP assignment lol. Anyway, I thought I'd post just in case someone wondered how the crap someone went from TWO APs to like 5 in one post. It's not abuse, I gave him a greenie for that post.
-
July 20th, 2010, 07:48 PM
#5
Originally Posted by gore
Heh, I was agreeing with you in an AP assignment and I think I just boosted you quite a bit lol. Man that's awesome lol, your two dots just got more friends from one AP assignment lol. Anyway, I thought I'd post just in case someone wondered how the crap someone went from TWO APs to like 5 in one post. It's not abuse, I gave him a greenie for that post.
heh, I was wondering that myself >.< Looks like I now have enough green to romp with the big leagues <@)
-
July 20th, 2010, 09:41 PM
#6
Yes, there are a ton of variables in this. It seems it could be mitigated pretty easily by putting a random delay in the range of 1-15ms before sending back a response upon a bad password being entered...
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
July 21st, 2010, 10:06 PM
#7
Hey westin!
Yeah, my first thought on mitigation was to have the password submitted in its entirety and check it in its entirety before giving a virtually identically similar response time reply.
My thinking was to look at the % of error............humans won't make that high a %?.............a typo, transposition error or something like that?
Then you will know if you have an attack.
-
July 22nd, 2010, 03:25 PM
#8
even a simple tar pit would make this attack not viable. >.<
-
July 26th, 2010, 03:47 AM
#9
Originally Posted by gore
#2. CPUs 25 years ago were slow enough that you could WATCH this. Today, with CPUs more than 20x the speed of the average system back then, and of course, Ethernet being more than a few MBs a second, and most people using a WAY slower net connection.... Wouldn't it have been easier then? I mean back then, a 1MHz system, you could almost use a Stop Watch to do this lol. Today it would be a difference in like, Milliseconds.
This doesn't really change anything. Assuming that the response time of the connection is reliable (local attack, attack using server side timer ex google: "About 4,580,000 results (0.54 seconds)"), a program can be written using a smaller measurement of time than seconds, or even ms. Ticks, for example, http://msdn.microsoft.com/en-us/libr...ime.ticks.aspx are a pretty small unit of measurement when dealing with time. For example, if a program were to have a linear scale of login response times, and if the first character is correct, the response takes X ticks, then two would take 2X, three would be 3X and so on. So the idea is the same as 25 years ago, it's just scaled, where X would be a lot larger as you use an older computer. At least that's how I understand it.
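An added example, not part of any post in this thread: the character-by-character check described in the first post, next to a comparison that examines every byte, using bytes examined as a deterministic stand-in for the response time that post #9 says grows as X, 2X, 3X. The function names, the sample secret and the guesses are constructed for illustration.

```python
import hmac

def early_exit_equal(stored: bytes, supplied: bytes):
    """Leaky check: returns at the first mismatching byte.
    Returns (match, bytes_examined)."""
    examined = 0
    if len(stored) != len(supplied):
        return False, examined
    for a, b in zip(stored, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def full_scan_equal(stored: bytes, supplied: bytes):
    """Examines every stored byte no matter where the first mismatch is.
    Returns (match, bytes_examined)."""
    examined = 0
    diff = len(stored) ^ len(supplied)
    for i, a in enumerate(stored):
        b = supplied[i] if i < len(supplied) else 0
        diff |= a ^ b          # accumulate differences, never branch on them
        examined += 1
    return diff == 0, examined

def safe_equal(stored: bytes, supplied: bytes) -> bool:
    """What to call in practice: the standard library's constant-time compare."""
    return hmac.compare_digest(stored, supplied)

def work_profile(check, stored, guesses):
    """Bytes examined per guess; a proxy for how long each response takes."""
    return [check(stored, g)[1] for g in guesses]

# Constructed sample data (hypothetical secret and guesses).
STORED = b"hunter2!"
GUESSES = [b"xxxxxxxx", b"hxxxxxxx", b"huxxxxxx", b"hunxxxxx", b"hunter2!"]

if __name__ == "__main__":
    print("early exit:", work_profile(early_exit_equal, STORED, GUESSES))
    print("full scan: ", work_profile(full_scan_equal, STORED, GUESSES))
```

The early-exit profile rises with the length of the correct prefix, while the full scan does the same work for every guess; `hmac.compare_digest` is the comparison to use in real code.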
-
July 27th, 2010, 09:42 AM
#10
Hmmmm..............
#2. CPUs 25 years ago were slow enough that you could WATCH this. Today, with CPUs more than 20x the speed of the average system back then,
I would try more like 2,000x................4.7MHz compared to 2.8GHz?............anyways, I agree, I just thought you understated your case a bit?
As for this threat, I don't take it that seriously, given that most decent systems give you 3-5 strikes before locking you out for at least 30 minutes?
Just look at the math?..............a random password of 12 characters will take forever?................my passwords are all >20 characters
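An added example, not written by any poster: the lockout rule mentioned in post #10 (a few strikes, then a 30 minute lock) together with the failure-percentage check suggested in post #7, replayed over constructed login events. The 10 minute counting window, the choice of 5 strikes, the class name and the event tuples are assumptions.

```python
from collections import defaultdict, deque

MAX_STRIKES = 5              # post #10 mentions "3-5 strikes"; 5 chosen here
LOCKOUT_SECONDS = 30 * 60    # post #10: locked out "for at least 30 minutes"
WINDOW_SECONDS = 10 * 60     # assumption: failures older than this are forgotten

class LoginGuard:
    def __init__(self):
        self.recent_failures = defaultdict(deque)  # user -> failure timestamps
        self.locked_until = {}                     # user -> unlock timestamp
        self.total = defaultdict(int)              # attempts actually evaluated
        self.failed = defaultdict(int)

    def record(self, ts, user, ok):
        """Process one login attempt; returns 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(user, 0) > ts:
            return "locked"            # rejected without checking the password
        self.total[user] += 1
        if ok:
            self.recent_failures[user].clear()
            return "ok"
        self.failed[user] += 1
        recent = self.recent_failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_STRIKES:
            self.locked_until[user] = ts + LOCKOUT_SECONDS
            recent.clear()
        return "fail"

    def failure_ratio(self, user):
        """Share of evaluated attempts that failed (the '%' idea from post #7)."""
        return self.failed[user] / self.total[user] if self.total[user] else 0.0

def replay(events):
    guard = LoginGuard()
    return guard, [guard.record(*e) for e in events]

# Constructed events: (unix_seconds, user, password_correct)
EVENTS = [(0, "alice", False), (20, "alice", True)]          # one typo, then in
EVENTS += [(100 + i, "bob", False) for i in range(6)]         # rapid guessing
EVENTS += [(2000, "bob", True)]                               # after the lock expires

if __name__ == "__main__":
    guard, results = replay(EVENTS)
    print(results, round(guard.failure_ratio("bob"), 2))
```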